How to generate publick key from R,S,Z sighnature ?

[COBRAS]

Subj.


Looking for a python scrypt or code for transaction with 1 and many inputs/outputs.



Thanks.

[OddyseyGames]

Hi. If I am not mistaken, then you can use this library for your purposes.

https://github.com/petertodd/python-bitcoinlib

[stanner.austin]

@COBRAS
If you have Random(R)/sign(S)/message hash(Z) you can use simple algo.
pub = (R*S-G*Z) / R

[BlackHatCoiner]

I'm utterly confused by the title and the OP. Do you want to derive the public key from the R, S, Z values or from a transaction raw that may have many inputs/outputs? If it's the former, it's impossible, if it's the latter then what you want is the bitcoin-cli decoderawtransaction in python.

python-bitcoinlib should have this.

[pooya87]

Do you want to derive the public key from the R, S, Z values or from a transaction raw that may have many inputs/outputs? If it's the former, it's impossible,

It is possible.

The logical way is to just read the transaction and almost all signatures come with their public key and viola you have the public key!

The other way is to perform what is known as public key recovery operation (section 4.1.6 of Standards for Efficient Cryptography 1 vol. 2). This way you can recover a number of possible public keys from signature and message.
Cryptography libraries that support ECC should have this option. In bitcoin libraries you may find it used in message verification methods.

[COBRAS]

Do you want to derive the public key from the R, S, Z values or from a transaction raw that may have many inputs/outputs? If it's the former, it's impossible,

It is possible.

The logical way is to just read the transaction and almost all signatures come with their public key and viola you have the public key!

The other way is to perform what is known as public key recovery operation (section 4.1.6 of Standards for Efficient Cryptography 1 vol. 2). This way you can recover a number of possible public keys from signature and message.
Cryptography libraries that support ECC should have this option. In bitcoin libraries you may find it used in message verification methods.

I thant filter rsz for needed pubkeyvand remove all what have not exact needed pubkey.

[BlackHatCoiner]

The other way is to perform what is known as public key recovery operation (section 4.1.6 of Standards for Efficient Cryptography 1 vol. 2).

True. Learnt something new today.

Actions: Find public key Q as follows.

1. For j from 0 to h do the following.
1.1. Let x = r + jn.
1.2. Convert the integer x to an octet string X of length mlen using the conversion routine
specified in Section 2.3.7, where mlen = (log₂p)/8 or mlen = m/8.
1.3. Convert the octet string X to an elliptic curve point R using the conversion routine
specified in Section 2.3.4. If this conversion routine outputs “invalid”, then do another
iteration of Step 1.
1.4. If _nR ≠ O, then do another iteration of Step 1.
1.5. Compute e from M using Steps 2 and 3 of ECDSA signature verification.
1.6. For k from 1 to 2 do the following.
1.6.1. Compute a candidate public key as:
Q = r^-1(sR − eG).
1.6.2. Verify that Q is the authentic public key. (For example, verify the signature of a
certification authority in a certificate which has been truncated by the omission of
Q from the certificate.) If Q is authenticated, stop and output Q.
1.6.3. Change R to −R.

I'd be thankful if you represented the implementation of this as I don't understand what's R. Here's a pair of R, S, Z:

Code:

20206c79208eeb03c8ecab3c17a3e9efae5953460c71dff6306ecda4a12533c8, 3604945cde5ea4f3d3f3d4eb007a589b6763c25d5f765bbbadbd554f70abd8ad, 836d795b585d8014d3f015791d183da57e7caf6a678135c345af78b2bfa9317a

 I googled and found a stackexchange post, but I can't seem to get this:

First, you find the two points R, R′ which have the value r as the x-coordinate r.

Is R = r * G?

Also, if you can derive the public key from R, S, Z why do we have to provide it in the scriptSig? It only takes space and hence, makes the transaction fee greater.

[pooya87]

I'd be thankful if you represented the implementation of this as I don't understand what's R.

In python and in csharp and C

In an ECDSA signature "r" is the x coordinate of the point "R". You can compute the full point R(x,y) by assuming y was even for this case.

First, you find the two points R, R′ which have the value r as the x-coordinate r.

Essentially this is what we do when we are verifying transactions but the public key is compressed. But since there we have the y odd/even-ness we can compute only one point but if we don't know it (like the case with r) we have 2 points.

Also, if you can derive the public key from R, S, Z why do we have to provide it in the scriptSig? It only takes space and hence, makes the transaction fee greater.

Because recovering public keys is an expensive operation and if we omit public keys from our scripts then verifying blocks and transactions become slower. Also we can recover multiple public keys (up to 4 for secp256k1) which would make verification that much slower.
On top of that, we are using hash of the public key and public key has to exist to satisfy OP_SOMEHASH OP_EQUALVERIFY.

[mamuu]

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs/blob/master/getPubKeyFromRSZ.py

[COBRAS]

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs/blob/master/getPubKeyFromRSZ.py

Thanks. To All !!!

[fxsniper]

COBRAS,
Did you try idea puzzle #120 use that script flip/reverse convert from public key to R S Z and try use RSZ to recover private key.
I try read from code it is very complex math I can not code.
but it is good idea to try do it

[COBRAS]

COBRAS,
Did you try idea puzzle #120 use that script flip/reverse convert from public key to R S Z and try use RSZ to recover private key.
I try read from code it is very complex math I can not code.
but it is good idea to try do it

I dont know any nethod how to get privkey from only one sighnature, so i recomend not qaste your time to try get privkey only from one  z or rsz

[fxsniper]

I dont know any nethod how to get privkey from only one sighnature, so i recomend not qaste your time to try get privkey only from one  z or rsz

Ok,
I just understand method use RSZ is can use only if bad transaction/signature use same R value or other way use same nonce  or use something duplicate or share it will can find difference, but if not have sorting duplicate it can not use to find keys

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs/blob/master/getPubKeyFromRSZ.py

How to fix this script
I found sometime script give result wrong by mission one zero at last y value for uncompressed pub key

uncompressed public key 130 character but script give result 129 character compare result it is missing one zero

[COBRAS]

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs/blob/master/getPubKeyFromRSZ.py

How to fix this script
I found sometime script give result wrong by mission one zero at last y value for uncompressed pub key

uncompressed public key 130 character but script give result 129 character compare result it is missing one zero

https://github.com/iceland2k14/rsz